
Selector Arrays automatically stripping out characters from values

Open thetuningspoon opened this issue 2 years ago • 3 comments

Short description of the issue

When I try to search for a page with a title that contains a '#' character using a selector array, the matching page is not found. It appears that selector arrays are automatically applying some kind of sanitizer to the values (my brief review of the code indicates that selectorValue is the sanitizer being applied).

Expected behavior

I mainly use selector arrays when I want to avoid having to use a sanitizer that might strip out characters that I need to match on but could be unsafe in the context of a selector string. I expect selector arrays to not apply any sanitizer to my values unless I specify one explicitly.

Actual behavior

I believe Sanitizer::selectorValue() is being applied automatically. When I specify 'text' as my sanitizer (third item in each array) then the page matches correctly.

Steps to reproduce the issue

  1. Create a page with the '#' character somewhere in the title
  2. Do a $pages->get() with a selector array that searches for the title from above

Setup/Environment

  • ProcessWire version: 3.0.178

thetuningspoon, Sep 23 '22 15:09

Also, I could have sworn that Ryan added documentation of selector arrays to the Docs, but I can't find it anywhere.

thetuningspoon, Sep 23 '22 15:09

@thetuningspoon The selector arrays apply the selectorValue sanitizer automatically, and it's one of the reasons to use them, so that you don't have to specifically apply it on your own like you would with a selector string. For your case, you could specify 'text' for the sanitize method, or if you don't need a sanitizer you could just specify a blank string for that argument, which would prevent it from attempting any sanitization, i.e. [ 'field', 'operator', 'value', '' ]

ryancramerdesign, Nov 10 '22 16:11

@ryancramerdesign Thanks. I thought that the selectorValue sanitizer was specifically for sanitizing a value in the context of a selector string, which is why it removes commas, quotes, and other characters that have special meaning in a selector string. Am I correct that there is no security concern in allowing these characters in the value of a selector array since the value is isolated in an array element? Or does the array get put back together into a string before being evaluated by ProcessWire?

Have selector arrays always applied the selectorValue sanitizer automatically? In the past I have used a selector array instead of a selector string in order to match a string that could have double quotes in it, and I thought it was working?

thetuningspoon, Nov 10 '22 17:11
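
Added example, not part of the thread and not ProcessWire code: a toy PHP model of the trade-off discussed above, showing a value with delimiter characters interpolated raw into a selector string, passed through a string-context sanitizer, and carried as its own array element. The function names, the stripped character set and the sample titles are constructed, and the model assumes an array value is never re-serialized into a string, which the thread leaves as an open question for ProcessWire itself.

```php
<?php
// Toy model, NOT ProcessWire's selector parser or Sanitizer::selectorValue().
// Function names and the stripped character set are hypothetical.

// Parse a comma-delimited "field=value" selector string into clauses.
function toyParse(string $selector): array {
    $clauses = [];
    foreach (explode(',', $selector) as $part) {
        [$field, $value] = array_pad(explode('=', trim($part), 2), 2, '');
        $clauses[] = ['field' => trim($field), 'value' => trim($value)];
    }
    return $clauses;
}

// String-context sanitizer: strips delimiters plus '#' (constructed set,
// chosen to mirror the stripping reported in this issue).
function toySanitize(string $value): string {
    return str_replace([',', '=', '"', "'", '#'], '', $value);
}

// Return titles that satisfy every clause (exact match on 'title' only).
function toyFind(array $titles, array $clauses): array {
    return array_values(array_filter($titles, function (string $t) use ($clauses): bool {
        foreach ($clauses as $c) {
            if ($c['field'] !== 'title' || $c['value'] !== $t) {
                return false;
            }
        }
        return true;
    }));
}

// Constructed sample data.
$titles = ['Issue #7, part 2', 'Issue 7 part 2'];
$input  = 'Issue #7, part 2';

// 1. Raw value in a selector string: the comma splits it into two clauses.
$raw = toyParse("title=$input");
printf("raw string:       %d clauses, matches %s\n", count($raw), json_encode(toyFind($titles, $raw)));

// 2. Sanitized value in a selector string: one clause, but the value changed,
//    so the lookup hits a different page than the one asked for.
$clean = toyParse('title=' . toySanitize($input));
printf("sanitized string: %d clauses, matches %s\n", count($clean), json_encode(toyFind($titles, $clean)));

// 3. Value carried as its own array element and never re-parsed (assumption of
//    this model): delimiters are plain data and the exact title matches.
$arr = [['field' => 'title', 'value' => $input]];
printf("array element:    %d clauses, matches %s\n", count($arr), json_encode(toyFind($titles, $arr)));
```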